[isapros] Re: ISA 2004 issue - cache only/single homed

  • From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxx>
  • To: isapros@xxxxxxxxxxxxx
  • Date: Tue, 26 Feb 2008 11:19:41 +1000 (EST)


proxy2 :)

Greg

> Well, something was obviously wrong.. without logs, details, etc, we won't be able to help. But, a rule is a rule. If the rule is properly created and applied, then it will work.
>
> If you are worried about "relying" on a rule or not, or how to basically bypass ISA functionality, then uninstall ISA, download squid, and be done with it...
>
> t
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Zoran Marjanovic
> Sent: Monday, February 25, 2008 5:03 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
>
> Hi T,
>
> Thanks for the info. I read the script and its description and figured out that it prevents stopping the firewall service in case of logging failure and that ISA enters LD when its firewall service is stopped. I have not tried it yet.
>
> When you create 2 identical (and very simple - web publishing) rules in 20 minutes using ISA's rule wizard, and the first time it fails and the second time it works, then I would not say it was me. This happened to me (and other people I know) many times during several years on both ISA 2004 and 2006 on completely different systems. I did not ask you to explain (or whatever) this, I just said that I would not rely on the "allow all" rule if I do not have to.
>
> Zoran
>
> ----- Original Message ----

> From: Thor (Hammer of God) <thor@xxxxxxxxxxxxxxx>
> To: isapros@xxxxxxxxxxxxx
> Sent: Tuesday, 26 February, 2008 11:45:16 AM
> Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
>
> The script I linked to actually does disable lockdown mode itself -- I've used it many times before. But, as I said, it also works to disable the alerts that cause lockdown. Dr. Shinder actually pointed this out to me to help with a logging issue I had that was causing lockdown.
>
> I really didn't want to completely disable LD mode, but at the time didn't know I could just disable alerts individually. But, as stated, the script does disable LD.
>
> If you want caching, the firewall service has to be running. I'm not sure what problems you had with rules working, but it had to be something you (or whoever) were not doing properly. Rules don't "work one time and not the other."
>
> But, the allow all from all will 'work' so I'm not sure what else to tell you...
>
> t
>
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Zoran Marjanovic
> Sent: Monday, February 25, 2008 4:37 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
>
> Hi T,
>
> Thanks for your help. I saw the script and found out that it does not disable the lockdown mode itself.
>
> ' Get a reference to the "Log failure" alert object,
> ' and modify it so that it will not stop the Firewall service.
> ' Ensure that the DropConnectionOnLogError property
> ' is set to False.
>
> "By default, the built-in Log failure alert shuts down the Firewall service. This alert is triggered by the Log failure event, which is raised when a logging failure occurs. You can prevent logging failures from causing ISA Server to go into lockdown by disabling the action of the Log failure alert that shuts down the Firewall service."
>
> I wanted to stop the firewall service manually (and disable it). I spent several hours on the Internet and did not find anything that could help or even explain what can be done.
>
> I am not sure that the "allow all" rule really takes care of it. I experienced faulty rules on both ISA 2004 and 2006, you know, you create it and it does not work. Then you delete it and recreate the identical one, and then it works. I experienced a similar problem on Vista's firewall while setting RDP communication. That is why I wanted to turn firewalling off completely.
>
> I am not responsible for this system, but I know that it's a multi-site system with 1 Internet connection. They run ISA 2004 (array) firewall on the exit point. The ISA in question is located in a branch office which is connected to the main office.
>
> The guys who manage this school asked my boss to borrow me in order to help them with the specific problem. They did not want (unfortunately) to discuss what/how/why they did so far. It looks like they have very limited resources.
>
> That's pretty much it.
>
> Thanks.
>
> Zoran
>
> ----- Original Message ----
>
> From: Thor (Hammer of God) <thor@xxxxxxxxxxxxxxx>
> To: isapros@xxxxxxxxxxxxx
> Sent: Tuesday, 26 February, 2008 1:27:38 AM
> Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
>
> The guy hasn't even logged on to the box yet... Let's not beat on him out of the gate, shall we?
>
> Zoran, though your configuration is not supported, and indeed doesn't provide any firewall features, it looks like they don't want it to anyway...
>
> Yes, you can disable lockdown mode entirely on 2004:
> http://www.microsoft.com/technet/isa/2004/plan/disablelockdownonlogfailure.mspx
>
> You can also disable the events that cause lockdown mode if you would like in Alerts. In order to cache, the firewall service would need to be running, but it looks like the "allow all" rule is already taking care of that.
>
> I take it this box is not connected to the internet, and that you've got some NAT device as the "router," right? If you are now in charge of this environment, then at least give them the protection they have paid for and move the DC to the SMS box and stick the ISA box at the border. Putting the DC on the ISA box is always a bad idea and breaks the security model, no matter what the circumstances -- now, in your case, you really don't have an "ISA" box, but rather, just a box inside the network that you wanted to turn into a caching proxy.
>
> As you can tell, not only is the configuration not supported, but when we see people talking about this type of hork, it gets under our craw a bit as it illustrates that someone is purposefully going out of their way to build the worst possible configuration for the product.
>
> hth.
>
> t
>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
>> Sent: Monday, February 25, 2008 6:07 AM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
>>
>> (there is a rule "allow all") - <WHIMPER>
>> ISA has ceased to protect the server where it resides.
>> This is the example your school creates for its students?!?
>>
>> Point your school network admins to this link:
>> http://www.microsoft.com/technet/isa/2004/plan/unsupportedconfigs.mspx
>>
>> -----Original Message-----
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Zoran Marjanovic
>> Sent: Sunday, February 24, 2008 8:35 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
>>
>> Thanks Thomas.
>>
>> It's a school and they insisted on it. Interestingly, DC works fine and clients have no problems at all (there is a rule "allow all", I was told).
>> The problem their admin experienced was related to accessing a share hosted on this ISA box by their MS SMS (another box).
>> I have not logged on the server yet so I am not sure what errors they got and how it really looks. My first thought was to simply shut firewalling down, since they do not need it. I will probably check it today and will let you know if I figure out what was the issue.
>>
>> Cheers,
>>
>> Zoran
>>
>> ----- Original Message ----
>>
>> From: Thomas W Shinder <tshinder@xxxxxxxxxxx>
>> To: isapros@xxxxxxxxxxxxx
>> Sent: Monday, 25 February, 2008 2:43:17 PM
>> Subject: [isapros] Re: ISA 2004 issue - cache only/single homed
>>
>> The ISA firewall is NOT supported on a DC, so it's a moot question.
>>
>> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Zoran Marjanovic
>> Sent: Sunday, February 24, 2008 8:33 PM
>> To: isapros@xxxxxxxxxxxxx
>> Subject: [isapros] ISA 2004 issue - cache only/single homed
>>
>> Hi guys,
>>
>> It is a "multi-practic" server :), Win 2003 SP1, DC, ISA, file server... huh, with only 1 NIC.
>>
>> Could you please confirm that Lockdown mode in ISA 2004 cannot be disabled? (I think I saw it somewhere but cannot find it now)
>>
>> Also, is it possible to install ISA without its firewall service because all I need is caching?
>>
>> Thanks a bunch!
>>
>> Zoran